No series of posts would be complete if I didn’t relate it back to my new fabulous job some how…

The Microsoft Threat Management Gateway is secure by default.  This means everything you want to do or rather connect to online must be configured properly within the TMG console.  The BigFix Enterprise Client is no different.

By default the BigFix infrastructure communicates on port 52311.  Therefore we must let TMG know that we’d like our clients to talk over this port.

Below is a graphical step by step on how this is done:

1. Lets start by creating a new row…

ForeFront TMG->Firewall Policy->Tasks (tab)->Create Access Rule

2. Of course we’ll be Allowing this port to communicate

3. We’ll be creating a brand new protocol… so hit Add then in the Add Protocols window click New->Protocol

4. Name your protocol…

5. We’ll be adding the BigFix TCP port 52311 here… (You may have deployed via a different port… specify your custom BigFix port here…)

6. We have no secondary connections that are needed… so click next and hit finish

7. Next we will expand the “User-Defined” branch and choose our “BigFix Communication Protocol” we just defined and hit Add->Close->Next

8. Specify who is allowed to communicate… Source which should be your internal network.

9. And specify our destination which in my case I am setting up a secondary site and all these clients will communicate with my BigFix Root server somewhere else on the internet.  (later on I’ll setup a relay on one of the computers at this location and adjust TMG firewall rules.)

10.  Because BigFix is my main management for all my computers, I want every computer to have permissions to communicate via this port… so I’ll leave the default “All Users” here… Next->Finish

We’ll probably want to make sure this is our first firewall rule so it is not interfered with by some other rule.  After hitting finish it should look like this:

Lastly we’ll need to “Apply” this new rule set in order to get things working.